b'                          UNCLASSIFIED\n\n       United States Department of State \n\n     and the Broadcasting Board of Governors \n\n               Office of Inspector General \n\n\n\n\n\n        Information Technology\n\n         Memorandum Report\n\n\n\nReview of the Information \n\n Security Program at the \n\n  Department of State \n\n\nReport Number IT-I-05-09, September 2005\n\n\n\n\n                              IMPORTANT NOTICE\n This report is intended solely for the official use of the Department of State or the\n Broadcasting Board of Governors, or any agency or organization receiving a copy\n directly from the Office of Inspector General. No secondary distribution may be\n made, in whole or in part, outside the Department of State or the Broadcasting\n Board of Governors, by them or by other agencies or organizations, without prior\n authorization by the Inspector General. Public availability of the document will\n be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552.\n Improper disclosure of this report may result in criminal, civil, or administrative\n penalties.\n\n\n\n                           UNCLASSIFIED\n\n\x0c        Section 3545 of the Federal Information Security Management Act of 2002\n(FISMA)1 directs each agency to conduct an annual independent evaluation of its\ninformation security2 program and practices. FISMA provides a comprehensive\nframework for establishing and ensuring the effectiveness of controls over information\ntechnology (IT) that support federal operations and assets, and it provides a mechanism\nfor improved oversight of federal agency information security programs. Also, Office of\nManagement and Budget (OMB) implementation guidance for FISMA requires the\nOffice of Inspector General (OIG) to assess the development, implementation, and\nmanagement of the agency-wide plan of action and milestones (POA&M) process and to\nfocus on performance measures. 
In response, OIG performed an independent evaluation\nof the information security program and practices of the Department of State\n(Department).\n\n       The objective of this review was to assess the overall effectiveness of the\nDepartment\xe2\x80\x99s information security program and practices. More details on the scope and\nmethodology for this review are discussed in Appendix A. OIG received comments from\nthe Department and incorporated them as appropriate within the body of the report.\nComments from the Department are reprinted in Appendix B.\n\nResults in Brief\n         OIG found that the Department\xe2\x80\x99s information security program and practices\ncontinue to evolve under the leadership of the Chief Information Officer (CIO). Also, the\nDepartment has taken several actions to improve the effectiveness of the Department\xe2\x80\x99s\ninformation security program since last year\xe2\x80\x99s independent evaluation. The Department\nis in the process of upgrading the information technology application baseline to\nstrengthen the connections between enterprise architecture, e-Authentication, privacy,\nsystems authorization, the POA&M process, and the capital planning process. All system\nowners and information system security officers (ISSO) will be required to use the\nDepartment\xe2\x80\x99s automated web-based tool to standardize management of self-assessments,\nPOA&Ms, and performance measures for all data calls. The Department also ensures\nthat all deficiencies are included in the POA&Ms. The Department\xe2\x80\x99s web-based training\ntool is used to ensure that all employees receive an annual information security awareness\nbriefing.\n\n        Additionally, to identify the number of contractor services or facilities performing\nwork for the Department using their own systems or connecting to the Department\nnetworks, the Department has initiated a project to be completed within the next three\nyears. 
The Department has taken a proactive approach to improve patch management\noperations and customer service. The Department continues to operate a successful and\nrobust cyber incident response program.\n\n\n1\n Pub. L. No. 107-347, Title III, Sec. 301(b)(1); 44 U.S.C. 3545.\n\n2\n FISMA defines information security as protecting information and information systems from\n\nunauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, \n\nconfidentiality, and availability.\n\n\n\n                                                       1\n\n\x0c       However, OIG found several key areas that require senior management attention.\nThe Department still does not have a complete inventory of systems that includes major\napplications, minor applications, and general support systems.3 Also, IT security\nweaknesses found within a local area network are not included in the POA&M process\nbecause the Department does not consistently define a system throughout documentation\nand guidelines. OIG found several deficiencies in the patch management, configuration\nmanagement, and the information systems security programs as well.\n\n        The Department\xe2\x80\x99s certification and accreditation process has not been fully\nimplemented. All general support systems and major applications were certified and\naccredited during the 18-month special project. The next phase was to include the post\noperations, which most Department officials believe are the weakest link in the layered\nsecurity approach that the Department has implemented. All aspects of this project have\nnot been incorporated into the current evaluation and verification process, and the chief\ninformation security officer (CISO) has not provided formal guidance.\n\n       The separation of the cyber security roles and responsibilities continues to affect\nthe Department\xe2\x80\x99s information security program. 
The August 2004 Cyber Security Roles\nand Responsibilities Matrix assigns to the Bureau of Diplomatic Security (DS) many\noperational responsibilities including the systems-related site evaluation and verification\nfunction. OIG found that the meetings between DS and the Bureau of Information\nResource Management (IRM) do not result in clear statements of work, assignment of\nresponsibilities, and establishment of milestones. As reported last year, the Department\nhas no effective coordinating or monitoring mechanism to ensure that assigned\nresponsibilities are accomplished. Furthermore, OIG noted areas for improvement in the\nDepartment\xe2\x80\x99s Privacy Act implementation.\n\n       Additionally, implementation of information security at overseas posts and\ndomestic bureaus continues to require Department attention. OIG observed problems\nwith ISSO duties, patch management, contingency planning, and inappropriate use at\nmany of the 36 sites visited.\n\nBackground\n       Information security is imperative to any organization that depends on\ninformation systems and computer networks to carry out its mission. The expansion in\ncomputer interconnectivity and the rapid increase in the use of the Internet are changing\nthe way the government, private sector, and much of the world communicate and conduct\nbusiness. However, without proper safeguards, these developments pose serious risks\nthat make it easier for people and groups with malicious intent to intrude into\ninadequately protected systems and use such access to obtain sensitive information,\ncommit fraud, disrupt operations, or launch attacks against other computer networks and\n\n\n3\n  The Department defines a general support system as an interconnected information resource under the\nsame direct management control that shares common functionality.\n\n\n                                                   2\n\n\x0csystems. 
Furthermore, the number of people with computer skills is increasing, and\nintrusion techniques and tools are readily available and relatively easy to use.\n\n        Faced with continued concerns about information security risks to the federal\ngovernment, Congress passed and the President signed FISMA into law in December\n2002. The new law recognizes the highly networked nature of the current federal\ncomputing environment and provides for a comprehensive framework for ensuring the\neffectiveness of information security controls over information resources that support\nfederal operations and assets. FISMA requires agencies, at a minimum, to develop and\nmaintain controls to protect federal information and information systems; improve\noversight of federal agency information security programs; develop an agency-wide\ninformation security plan; incorporate information security principles and practices\nthroughout the life cycles of the agency\xe2\x80\x99s information systems; and ensure that the\ninformation security plan is practiced throughout the life cycles of the agency\xe2\x80\x99s\ninformation systems.\n\n        FISMA also assigns the agency\xe2\x80\x99s CIO the authority and responsibility to\nadminister key functions under the statute, including designating a senior agency\ninformation security officer who possesses professional qualifications and reports to the\nCIO and assists the CIO in developing and maintaining an agency-wide information\nsecurity program; developing and maintaining information security policies, procedures,\nand control techniques to address all applicable requirements; training and overseeing\npersonnel with significant responsibilities for information security; and assisting senior\nagency officials with their responsibilities.\n\n        Finally, in addition to a number of other provisions, FISMA requires each agency\nto have performed an independent evaluation of its information security program and\npractices. 
OIG or the independent evaluator performing a review may use any audit,\nevaluation, or report relating to the effectiveness of the agency\xe2\x80\x99s information security\nprogram to do so. The agency is required to submit the independent evaluation, along\nwith its own assessment, to OMB as part of its annual budget request.\n\nDepartment\xe2\x80\x99s Progress in Addressing Information Security\n\nEffective Information Security Management Procedures\n\n       To assess the Department\xe2\x80\x99s information management security practices, OIG used\na subjective sample and selected four major application systems4 (American Citizens\nServices (ACS), Baseline Tool Kit Back End (BTKBE), Passport Lookout Tracking\nSystem (PLOTS), and Telegram Web Portal (Webgram)) and two general support\nsystems--Classified Network (ClassNet) and the Public Affairs Communicating\nElectronically (PACE) Network. The Bureau of Consular Affairs (CA) manages ACS\nand PLOTS; DS manages BTKBE; IRM manages Webgram and ClassNet; and the\n\n4\n The Department defines a major application as an application that requires special attention to security\ndue to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or\nmodification of the information in the application.\n\n\n                                                     3\n\n\x0cBureau of Public Affairs (PA) manages PACE. 
OIG\xe2\x80\x99s assessment pertained to\nmanagement and operational controls and focused on security control reviews,\ncontingency planning, data integrity, security awareness, training, and education.\n\n        As shown in Table 1, all six systems have completed the certification and\naccreditation process and have documented risk assessments and security plans in place.\nSystems undergo security control testing during the system, testing, and evaluation phase\nof the certification and accreditation process, which is generally once every three years.\nThe Department has implemented annual contingency plan testing. One-third of the\nsystems (two of six) have had the impact levels determined. Two-thirds (four of six)\nsystems have not complied with the FISMA requirement to test and evaluate security\ncontrols annually. Department officials plan to improve these areas in FY 06.\n\nTable 1: Major Information System Results for Key System Security Elements\n\n                                                                             Tested\n                                                                            Security\n                                                                            Controls\n                                                                  Certified (within Impact\n                Risk                                     Security   and     the past Level\nSystem       Assessment Security Level Determined         Plans Accredited year) Determined\nACS             Yes                Yes                     Yes      Yes       No        No\nBTKBE           Yes                Yes                     Yes      Yes       No        No\nClassNet        Yes                Yes                     Yes      Yes       No        Yes\nPACE            Yes                Yes                     Yes      Yes       Yes       Yes\nPLOTS           Yes                Yes                     Yes      Yes       No        No\nWebgram         Yes             
   Yes                     Yes      Yes       Yes       No\n\n        Table 2 shows that ACS, PLOTS, Webgram, PACE and ClassNet have trained\nISSOs, but the BTKBE ISSO has not been trained. All of the reviewed systems have\ndocumented IT security self-assessments, which were performed using the National\nInstitute of Standards and Technology (NIST) Special Publications 800-26 as criteria, and\ncontingency plans, which were completed as part of the certification and accreditation\nprocess.\n\n\n\n\n                                            4\n\n\x0cTable 2: Results for Training, Planning, and Self-Assessment Elements\n                         Contingency Plans Tested or\n              Trained              Updated            Security Self\nSystem         ISSO         (within the past year)    Assessments\nACS             Yes                   No                  Yes\nBTKBE            No                   No                  Yes\nClassNet        Yes                   No                  Yes\nPACE            Yes                  Yes                  Yes\nPLOTS           Yes                   No                  Yes\nWebgram         Yes                  Yes                  Yes\n\nOIG\xe2\x80\x99s review of these systems found the following.\n\n\n\n\n              American Citizens Services\n\n        CA manages ACS, an automated system designed to provide services to\nAmerican citizens living and traveling abroad. The system received full accreditation to\noperate in July 2004. As part of the certification process, CA completed the system\nsecurity plan and the contingency plan. Also, CA completed the NIST self-assessment,\nand security controls for the system and contingency plans were tested as the system went\nthrough certification and accreditation. 
The bureau has not tested and evaluated security\ncontrols and the contingency plan within the past year.\n\n\n\n\n              Baseline Tool Kit Back End\n\n        DS manages BTKBE, a web-based system that provides trend analysis and\nautomated report generation of security assessments data. DS conducted and documented\na risk assessment, and developed and tested a systems security plan and contingency plan\nas part of the certification and accreditation process. The BTKBE also went through\nsecurity control testing. BTKBE received full accreditation to operate in August 2003.\n\n        BTKBE\xe2\x80\x99s primary ISSO has not attended the Department\xe2\x80\x99s Basic ISSO Training\nclass. Also, DS has not tested and evaluated security controls and the contingency plan\nwithin the past year.\n\n\n\n\n                                           5\n\n\x0c                              Classified Network\n\n       ClassNet, managed by IRM, is the global enterprise network that provides secure\ntransportation of classified information at domestic and foreign sites. ClassNet transports\ninformation classified up to the Secret level in addition to classified and unclassified e-\nmail and cable traffic for about 220 posts and 17 domestic bureaus and offices.\n\n       IRM conducted and documented a risk assessment, and developed and tested a\nsystem security plan and contingency plan as part of the certification and accreditation\nprocess. ClassNet underwent system, test, and evaluation in accordance with the\nDepartment\xe2\x80\x99s System Authorization Process Guide. 
Because of the length of time since\ncompletion of the verification and penetration testing and in special consideration of the\nunquantified risk, ClassNet received full accreditation to operate for 18 months in August\n2004.\n\n\n\n\n                     Public Affairs Communicating Electronically Network\n\n        PA manages PACE, an unclassified, Internet access network that supports 325\nusers and seven remote locations. PACE, which is not connected to the Department\xe2\x80\x99s\nunclassified network (OpenNet), was created to meet the need for Internet access when\nthis capability was absent at the departmental level. PA conducted and documented a\nrisk assessment, and developed and tested security controls and contingency plan as part\nof the certification and accreditation process. PACE received full accreditation in\nJanuary 2005.\n\n\n\n\n                                             6\n\n\x0c               Passport Lookout Tracking System\n\n       CA uses PLOTS to track passport fraud and issue a \xe2\x80\x9clookout\xe2\x80\x9d case for\nquestionable passport applications. A \xe2\x80\x9clookout\xe2\x80\x9d case identifies that the application\nrequires investigation. The system security and contingency plans for PLOTS were\ndeveloped, updated, and tested as part of the certification and accreditation process. The\nsystem received full accreditation in March 2004. The bureau completed a self-\nassessment on the system using NIST guidance but has not tested and evaluated security\ncontrols and the contingency plan within the past year.\n\n\n\n\n                             Telegram Web Portal\n\n       IRM manages Webgram, a web-enabled system developed for displaying\nunclassified and nonrestricted telegrams on the Department\xe2\x80\x99s Intranet. The system\nallows authorized users to retrieve their telegrams. OIG found that IRM completed the\nNIST self-assessment as the system went through the certification and accreditation\nprocess. 
In addition, IRM has developed, updated, and tested security and contingency\nplans. Webgram received full accreditation to operate in January 2005.\n\nCompliance and Identification of Contractor Facilities and Services\n\n        The CIO and Department program officials have made progress in identifying and\nensuring contractor facilities that support Department programs and services are\nadequately secure and meet FISMA, OMB policy, and NIST guidance. The Department\nis implementing a policy requiring all new contracts to adhere to FISMA guidelines.\nContracts already awarded will be reviewed, inventoried, and evaluated to verify FISMA\ncompliance. The Department estimates three years to develop the full universe of\ncontractor facilities and services, and to determine the compliance with established\ninformation security requirements.\n\nPlan of Action and Milestones Process\n\n       The Department made significant improvements in its POA&M process by\ndeveloping an automated tool, State Automated FISMA Reporting Environment\n(SAFIRE), to ensure accurate submissions of POA&Ms, create computer-based training\n\n\n\n                                            7\n\n\x0con how to use the automated tool, and establish a formal domestic training program for\nsystem managers and other stakeholders.\n\n        The Office of Information Assurance (IRM/IA) is the central point for collecting,\nanalyzing, managing, and reporting POA&Ms information to OMB and is responsible for\ncertifying and accrediting all systems. Last year OIG recommended the Department\ndevelop procedures to ensure that the POA&M process addresses IT security findings and\nrecommendations from external and internal reviews, and to inform regional bureaus and\noverseas posts on the responsibilities for remediating identified IT security vulnerabilities\nand submitting information to the Department. The Department developed SAFIRE,\nwhich serves as the central repository for POA&Ms data. 
IRM/IA has asked system\nowners to use the automated tool to report their POA&Ms. System owners5 create\nPOA&Ms when IT vulnerabilities are identified during the certification and accreditation\nprocess, annual self assessments, external and internal audits, evaluations, and\ninspections. OIG findings are also used to create a POA&M in SAFIRE.\n\n       In addition to the computer-based training on how to use SAFIRE, the\nDepartment increased awareness of stakeholders through workshops, individual bureau\nconsultations, monthly bureau meetings, as well as information contained on the IRM/IA\nweb-site and the POA&M process guide.\n\nPatch Management\n\n       The Department\xe2\x80\x99s patch management program has taken several steps to improve\noperations and customer service. An independent consultant reviewed the patch\nmanagement program and suggested improvements regarding deploying, automating test\nand evaluation, and upgrading the patch distribution tool. In addition, the Department\xe2\x80\x99s\nOffice of Enterprise Network Management has made the patch management process\nmore transparent by finalizing patch management standard operating procedures and a\nMicrosoft Systems Management Server guide. Finally, to promote awareness of the\nprogram, the Office of Enterprise Network Management has provided several patch\nmanagement briefings this year and ensured system administrator classes include patch\nmanagement training.\n\nConfiguration Management\n\n       OIG\xe2\x80\x99s comparison of the Department configuration guides to the NIST\nconfiguration guidance found the Department guidelines meet or exceed NIST\nrequirements. The Department\xe2\x80\x99s security configuration setting validation tool scans\nworkstations and servers to compare the operating system settings to the security\n\n\n\n5\n  5 Foreign Affairs Manual (FAM) 825 defines the system owner as the bureau designated senior\nexecutive who is responsible for the system. 
Abroad, the system owner is the charg\xc3\xa9, deputy chief of\nmission, consul general, or principal officer or equivalent.\n\n\n\n\n                                                   8\n\n\x0crequirements and produces a report on the configuration status of each workstation and\nserver.\n\nCyber Security Incident Response\n\n        The Department\xe2\x80\x99s cyber security incident response program is robust and\nefficient. There are basic policies and procedures in place and general awareness\ndepartment-wide of how and to whom to report cyber incidents. The Department\xe2\x80\x99s Cyber\nIncident Response Team is the central reporting point for computer security events and\nincidents on the Department\xe2\x80\x99s information systems. The Cyber Incident Response Team\neffectively coordinates with appropriate parties to ensure all security-related incidents are\ndetected, loss of data and/or resources is minimal, and all issues are resolved.\n\nAwareness and Training\n\n        The Department\xe2\x80\x99s IT security awareness and role-based training program\ncontinues to improve. The Department added file sharing policies to the current\ncurriculum in response to last year\xe2\x80\x99s OIG report. The Department also deployed and\nimplemented an on-line computer-based training application for all computer users to\nconduct their annual computer security awareness briefing.\n\n        The Department\xe2\x80\x99s information assurance classes provide basic IT security training\nfor eight roles. The classes are tailored for ISSOs, system administrators, managers,\nsenior-level managers, executives, regional security officers, and security engineering\nofficers.\n\nPreviously Identified Weaknesses Continue\n\nInadequate Inventory of IT Systems\n\n       The Department does not have a complete systems inventory that includes major\napplications, minor applications, and general support systems. 
Although 5 FAM 864\nrequires that all posts and bureaus enter custom-built applications into the Department\xe2\x80\x99s\napplications inventory system, not all bureaus and posts are aware of the applications\ninventory system and its purpose. For example, OIG identified over 20 applications\ncreated by three posts that should have been entered into the Department\xe2\x80\x99s applications\ninventory system. The Department cannot know the full universe of systems and\napplications until it ensures that all posts and bureaus enter their information into the\napplications inventory system.\n\n        The Department believed the full universe of applications and systems would be\nidentified as part of its site inspections overseas. During FY 2005, the regional computer\nsecurity officers visited 13 posts to perform an evaluation and verification review. The\nevaluation and verification process searches the posts\xe2\x80\x99 networks for unauthorized\nsoftware, but does not include providing guidance on entering locally approved software\napplications into Department\xe2\x80\x99s applications inventory system.\n\n\n                                             9\n\n\x0c        The Information Technology Change Control Board standard operating\nprocedures require that all applications be entered into the Department\xe2\x80\x99s applications\ninventory system prior to being added to the Department\xe2\x80\x99s baseline. The Department has\nnot included this requirement in the local change control board procedures to ensure that\nall applications installed on the Department\xe2\x80\x99s infrastructure are reported.\n\n       Recommendation 1: The Chief Information Officer should rewrite change\n       control board procedures to require local change control boards to enter all\n       application information into the Department\xe2\x80\x99s applications inventory system.\n\n        Department Response: \xe2\x80\x9cThe CIO agrees with the recommendation. 
The\nInformation Technology Asset Baseline (ITAB) partners will facilitate implementation.\nIn the process, we will consider adding additional IT assets, including the overseas\napplications, contractor systems, and sites into ITAB. The ITAB changes underway must\nbe completed before any other inventory types may be added. Because the asset\ninventory will expand significantly, the Department will follow a phased implementation\nprocess. The CIO is committed to resolving this recommendation and will provide a\nschedule with milestones by October 15.\xe2\x80\x9d\n\n       OIG Comments: OIG considers the recommendation resolved.\n\n       Last year\xe2\x80\x99s FISMA report recognized a large discrepancy between the number of\napplications and systems reported in the Department\xe2\x80\x99s applications inventory system and\nthe number reported in the Department\xe2\x80\x99s systems authorization process. OIG\nrecommended that the Department review the applications and systems reported in the\nDepartment\xe2\x80\x99s applications inventory system and determine those to be included in the\nDepartment\xe2\x80\x99s inventory. The Department agreed with the recommendation, which will\nremain open until OIG receives the Department\xe2\x80\x99s inventory after a final comparison with\nthe Department\xe2\x80\x99s applications inventory system.\n\nInadequate Identification of Contractor Facilities and Services\n\n        In last year\xe2\x80\x99s FISMA evaluation, OIG reported that the CIO should ensure that all\ncontractor services and facilities are identified and in accordance with established\ninformation security requirements. 
The Department has a plan to address this deficiency\nwithin three years, and OIG believes that the Department should incorporate this\nrequirement into the current corrective action plan for information systems security.\n\n       Recommendation 2: The Chief Information Officer should include the\n       requirement to develop a complete and accurate inventory of contractor systems\n       and facilities into the Department\xe2\x80\x99s current corrective action plan for information\n       security.\n\n      Department Response: \xe2\x80\x9cThe CIO agrees with the recommendation and will\nimplement an inventory process in line with still-evolving NIST standards. Because of\n\n\n\n                                           10\n\n\x0cunsettled policy and the overlapping and interwoven nature of contractor systems\ncontaining government information (e.g., contractors that deal with multiple government\nagencies), the Department\xe2\x80\x99s response and actions must be coordinated with other\nagencies and OMB. As noted in the OIG\xe2\x80\x99s recommendation, the Department\xe2\x80\x99s plan for\naddressing inventory, contract modifications and oversight is already being implemented.\nLanguage to address this issue from a contractual perspective is under development by\nrepresentatives from across the Department. Upon completion of the new version of\nITAB, central registration of contractor systems will be possible. See also response to\nrecommendation # 1. The CIO is committed to resolving this recommendation and will\nadd the requirement to the Federal Managers\xe2\x80\x99 Financial Integrity Act, Corrective Action\nPlan.\xe2\x80\x9d\n\n       OIG Comments: OIG considers the recommendation resolved.\n\nPlan of Action and Milestones Process Needs Improvement\n\n        All IT weaknesses are not included in the Department\xe2\x80\x99s POA&M process because\nthe definition of a system remains unclear. 
The term “system” is used to describe major applications and general support systems in some Department processes; in other situations, a local area network is considered a system. IRM/IA’s website states that system owners are responsible for developing and maintaining POA&Ms for their systems and for recommending milestones and resource requirements, but because of these conflicting definitions, system owners are unsure of their responsibilities to report their POA&Ms. Some system owners included their networks in SAFIRE and many did not. Without consistent reporting of vulnerabilities, the Department cannot determine the magnitude of the risk and the extent of the remediation activities necessary.

Recommendation 3: The Chief Information Officer should require that all information systems policies and guidance use the same definition for the term system.

Department Response: “The CIO agrees with the recommendation. The official Department definition of the term ‘System’ is found in 5 FAM 614: System. A combination of hardware, software, facilities, personnel, data, and services to perform a designated function with specified results to user(s). The 5 FAM will be rewritten to contain a separate section that consolidates all terms and definitions.”

OIG Comments: OIG considers the recommendation resolved.

Data received from SAFIRE is incomplete because system owners are not reporting all the required information. OIG was told that some system owners are reluctant to enter needed data because the tool has not been accredited. OIG inspections overseas have found that system owners have limited knowledge about SAFIRE.

Recommendation 4: The Chief Information Officer should ensure that the State Automated Federal Information Security Management Act Reporting Environment application is certified and accredited.

Department Response: “The CIO agrees with the recommendation. The office that performs systems authorization is the owner of the application. Therefore, to avoid the potential conflict of interest, the Department hired an independent certification agent. The State Automated FISMA Reporting Environment (SAFIRE) application is in the Accreditation phase of the Systems Authorization Process. Remediation of the findings is complete and, barring unforeseen circumstances, the CIO expects to authorize the system by the end of the fiscal year.”

OIG Comments: OIG considers the recommendation resolved.

Recommendation 5: The Chief Information Officer should require that all system owners use the State Automated Federal Information Security Management Act Reporting Environment application and receive the requisite training.

Department Response: “The CIO agrees with the recommendation. This activity was not adequately funded in FY2005 due to budget constraints. The Department will add more resources to the SAFIRE project to increase SAFIRE visibility and strengthen the message that is already in place through additional training and advocacy. Furthermore, the SAFIRE team will continue to hold monthly meetings with the bureaus and continue to offer bureau assistance. In addition, presentations will be provided both domestically and overseas at conferences.”

OIG Comments: OIG considers the recommendation resolved.

Patch Management Needs Improvement

The Department needs to correct deficiencies in patch reporting, enforce compliance with patch management,[6] and increase awareness of patch management and its responsibilities for nontechnical managers such as chiefs of mission, deputy chiefs of mission, management officers, and executive directors. The Department adheres to the NIST guidelines concerning patch management, with the exception of training administrators on vulnerability resources.

[6] Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches to a computer system. Patch management tasks include: maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required.

Last year, OIG found that patch management procedures were not being followed in six inspections and recommended that the CIO establish written guidance and procedures on what actions will be taken if overseas posts do not install the patches the Department releases. Despite these recommendations, patch management problems appear to have proliferated throughout the Department’s posts. Twenty-one of 36 sites inspected were found to have patch management problems. For example, at 11 sites visited, OIG found that automated systems failed to accurately report the status of software security patch management, thus providing an erroneous view of network vulnerabilities. OIG also found that not all required patches were installed in seven posts.

The monthly patch status report is an inaccurate representation of the Department’s patch management status because the report does not include ClassNet or the majority of domestic sites, and because Microsoft Systems Management Server (SMS) inaccuracies skew the results. Inaccurate reporting of workstations and incomplete distribution of patches remain a problem. SMS identifies the workstations and servers connected to the network and distributes the patches accordingly. Hardware, software, or configuration errors can prevent SMS from recognizing all workstations on the network. Local administrators must manually install patches on the workstations that SMS does not recognize. Last year OIG identified 11 posts where SMS inaccurately reported the patch management status to the Department. The Office of Enterprise Network Management plans to install SMS 2003 to eliminate this problem.

The Department does not verify or enforce patch management on ClassNet. ClassNet has no patch distribution tool, so local administrators must manually install patches on each workstation. The Office of Enterprise Network Management tracks compliance by e-mail. If local administrators fail to send the confirmation e-mail, the patch management group does not follow up to verify that the patches have been installed. This method leaves many workstations and servers potentially vulnerable to software security flaws. The Office of Enterprise Network Management plans to automate the patch installation and validation process this year.

Inadequate patch management continues to plague the Department and will continue to do so until patch management compliance is enforced. According to 5 FAM 866, the Designated Approval Authority may disconnect any network that does not meet the Department’s patch management directives.
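The two reporting gaps described above (workstations that SMS does not recognize, and ClassNet confirmations that never arrive) both surface as "no data", and a status report that silently treats no data as patched overstates compliance. The following Python is an added example, not Department code and not an SMS or SAFIRE export format; the site names, host names, patch identifiers and record layouts are constructed. It merges tool-reported status and manual confirmations against an authoritative host inventory, counts unreported hosts as findings rather than dropping them, contrasts the tool-only coverage figure with the inventory-based one, and lists the sites that fall under the 5 FAM 866 disconnection authority:

```python
"""Patch-status reconciliation across partial reporting sources.

Added example; not Department code and not an SMS or SAFIRE data format.
Site names, host names, patch identifiers and record layouts below are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample: authoritative per-site host inventory (what a local
# administrator knows is on the wire, independent of the patch tool).
INVENTORY = {
    "post-alpha": ["alpha-ws01", "alpha-ws02", "alpha-ws03", "alpha-srv01"],
    "post-bravo": ["bravo-ws01", "bravo-ws02"],
    "classnet-charlie": ["charlie-ws01", "charlie-ws02"],
}

# Constructed sample: patches every host must carry this cycle.
REQUIRED_PATCHES = {"P-001", "P-002"}

# Constructed sample: what the central distribution tool reports. A host the
# tool failed to recognise is simply absent, which is the gap in the text.
TOOL_REPORT = {
    "alpha-ws01": {"P-001", "P-002"},
    "alpha-ws02": {"P-001"},
    "alpha-srv01": {"P-001", "P-002"},
    "bravo-ws01": {"P-001", "P-002"},
    "bravo-ws02": {"P-001", "P-002"},
}

# Constructed sample: manual confirmations for a network with no distribution
# tool (the e-mail confirmation route). Hosts never confirmed are absent.
MANUAL_CONFIRMATIONS = {
    "charlie-ws01": {"P-001", "P-002"},
}


@dataclass
class SiteStatus:
    site: str
    compliant: list = field(default_factory=list)
    missing_patches: dict = field(default_factory=dict)  # host -> missing ids
    unreported: list = field(default_factory=list)  # no data from any source

    @property
    def is_compliant(self) -> bool:
        # No data is a finding, not a pass.
        return not self.missing_patches and not self.unreported


def reconcile(inventory, tool_report, manual, required):
    """Per-site status that starts from the inventory, so hosts the tool
    never saw are counted instead of silently dropped."""
    statuses = {}
    for site, hosts in inventory.items():
        status = SiteStatus(site)
        for host in hosts:
            installed = tool_report.get(host)
            if installed is None:  # tool did not recognise it; try manual route
                installed = manual.get(host)
            if installed is None:
                status.unreported.append(host)
                continue
            gap = set(required) - set(installed)
            if gap:
                status.missing_patches[host] = gap
            else:
                status.compliant.append(host)
        statuses[site] = status
    return statuses


def naive_coverage(tool_report, required):
    """Coverage the way a tool-only monthly report computes it: the
    denominator is only the hosts the tool recognised."""
    if not tool_report:
        return 0.0
    patched = sum(1 for installed in tool_report.values()
                  if set(required) <= set(installed))
    return patched / len(tool_report)


def true_coverage(statuses):
    """Coverage over the full inventory; unreported hosts count as unpatched."""
    total = sum(len(s.compliant) + len(s.missing_patches) + len(s.unreported)
                for s in statuses.values())
    patched = sum(len(s.compliant) for s in statuses.values())
    return patched / total if total else 0.0


def sites_for_enforcement(statuses):
    """Sites that fail the directive and so fall under the DAA's
    disconnection authority (5 FAM 866)."""
    return sorted(s.site for s in statuses.values() if not s.is_compliant)


if __name__ == "__main__":
    result = reconcile(INVENTORY, TOOL_REPORT, MANUAL_CONFIRMATIONS, REQUIRED_PATCHES)
    print(f"tool-only coverage: {naive_coverage(TOOL_REPORT, REQUIRED_PATCHES):.0%}")
    print(f"inventory coverage: {true_coverage(result):.0%}")
    for site in sites_for_enforcement(result):
        s = result[site]
        print(f"{site}: missing={s.missing_patches} unreported={s.unreported}")
```

On the constructed data the tool-only figure is 80 percent while the inventory-based figure is 62.5 percent; the difference is exactly the hosts that neither SMS nor an e-mail confirmation ever reported. The design point is that the denominator comes from the inventory, not from the reporting tool, which is what makes an unrecognized workstation visible.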
OIG has no evidence of any post or bureau being disconnected from the Department’s network because of patch noncompliance. Without enforcement, posts that are not in compliance can continue operating, which leaves the unclassified and classified networks open to operational problems and malicious attacks.

Recommendation 6: The Chief Information Officer should disconnect networks that do not comply with the Department’s patch management policies.

Department Response: “The CIO agrees with the recommendation. This is supported by existing policy in 5 FAM 866.d that provides, ‘the Designated Approval Authority (DAA) may disconnect any system, LAN, or domain that does not comply with the Department’s Enterprise Patch Management Program’s directives.’ Furthermore, the Department must continue to balance acceptable risk against operational requirements for information and information systems services.”

OIG Comments: OIG considers the recommendation resolved.

Nontechnical managers are not aware of the criticality of patch management. Because 5 FAM 825 states the system owner is responsible for the system, nontechnical managers should have a basic awareness of patch management. The Department needs to ensure that nontechnical managers understand their responsibilities as a system owner and how critical patch management is to the confidentiality, integrity, and availability of their network. Nontechnical managers should have a clear understanding of the patch management report.

The Department does not provide guidance to local administrators on how and where they can obtain data to identify vulnerabilities and corrective measures, including patches for software outside the core baseline. NIST Special Publication 800-40 states that local administrators should be trained on identifying vulnerabilities and applicable patches. Providing local administrators with this information creates another line of defense in the patch management process.

Recommendation 7: The Chief Information Officer should develop and implement a process for local administrators on identifying vulnerabilities and applicable patches for software not included in the core baseline, as well as identifying additional government resources.

Department Response: “The CIO generally agrees with the recommendation, but notes the even greater potential to reduce vulnerabilities by remotely monitoring networks and administering patches from off-site locations, thereby reducing the burden on local administrators and improving overall network management. IRM senior management will coordinate and develop a process for oversight and compliance for other hardware / software applications or systems. The Local Change Control Boards (CCBs) report local post patch management activity and approval of IT items to their IT CCB Voting Representatives and the IT CCB Change Manager. This reporting mechanism provides information to the Patch Management Team for tracking.”

OIG Comments: OIG considers the recommendation resolved.

Improvements Needed in Addressing Information Security

Certification and Accreditation Process – A Process in Flux

As the certification and accreditation process matures, needed improvements are identified: acceptable risk, penetration testing, and the accuracy of certification and accreditation data. The evaluation and verification process can provide valuable information to the Department by determining the vulnerabilities that specific posts present, remediating the risks identified, and developing mandatory documentation.

The certification and accreditation process does not fully identify the risk that individual subcomponents or local area networks pose to the Department’s infrastructure. The Department certified and accredited two general support systems, OpenNet and ClassNet, without determining all of the risks. OpenNet and ClassNet are distributed networks that make up a significant part of the Department’s critical infrastructure. These systems are used by approximately 70,000 personnel worldwide and support numerous major and minor systems. The certification and accreditation packages for these general support systems state that a large portion of risk remains unquantified because of lack of resources, immaturity of the certification and accreditation process, and time constraints. Both systems received approval for 18 months and will be recertified in 2006.

Recommendation 8: The Chief Information Officer should require that a risk assessment be conducted on all subcomponents or a representative sample prior to reaccrediting the Department’s unclassified and classified networks.

Department Response: “The CIO agrees with the recommendation. The Department performed risk assessments on the major components of OpenNet and ClassNet. For example, the Department performed a risk assessment of the software image of workstations deployed overseas through the type accreditation of GITM-U and GITM-C. The systems are currently undergoing the initial phases of re-accreditation and will undergo more rigorous testing and scrutiny than on the first pass.”

OIG Comments: OIG considers the recommendation resolved.

The current evaluation and verification process does not meet the intent of the system authorization process. Major deliverables that were to result from the site certification process, such as security plans, contingency plans, and risk assessments, are not being produced. In accordance with the 2004 Cyber Security Roles and Responsibilities Matrix, DS conducts site verifications, which have replaced site authorizations. In last year’s report, OIG expressed concerns with the division of responsibilities in the certification process between DS and IRM. OIG also believed that the proposed division of responsibilities did not allow the CIO oversight of information system functions performed by DS personnel. In its response, the Department stated that the shared CIO and DS approach would meet the Department’s needs. OIG has found no evidence of the CIO setting performance requirements for the DS office that conducts system site evaluations and verifications.

Recommendation 9: The Chief Information Officer should provide information security requirements that must be addressed during the regional computer security officers’ site evaluation and verification visits.

Department Response: “The CIO agrees with the recommendation. As a matter of clarification, the report’s text should reflect the fact that the 2004 Roles and Responsibilities Matrix – developed jointly by the CIO and Assistant Secretary for DS – established the Evaluation and Verification (E&V) program, and assigned responsibility for this program to DS. The E&V program will help the Department maintain a continuous monitoring capability in accordance with NIST guidance and in keeping with the Department’s resource priorities as well as help support the Systems Authorization programs under CIO oversight.

With regard to E&V oversight, it is also important to note that DS and IRM/IA staffs are continuing to work closely to develop reporting procedures that will support the CIO in meeting FISMA responsibilities. Furthermore, DS and IRM/IA present joint quarterly briefings to the CIO and Assistant Secretary for DS detailing the progress of the E&V program.

Due to limited staff and funding availability to support the E&V process, the CISO’s office was limited to setting direction and collaborating with DS to provide high-level guidance and a framework for the E&V process. The CIO, through the CISO, is acting on this recommendation by instituting a formal oversight role using performance measurements and metrics.”

OIG Comments: OIG considers the recommendation resolved.

The Department has not performed penetration testing on all systems with high security levels. The Department has certified 42 systems that require such testing; 37 have not had penetration testing. The Department’s System Authorization Plan states that all major systems and general support systems with a high security certification level must receive penetration testing. The CIO has delegated penetration testing to DS. In a memorandum dated January 5, 2004, DS stated that it was not feasible to perform penetration testing for all systems going through the certification and accreditation process. DS further asserted that penetration testing is labor-intensive, time-consuming, expensive, and potentially dangerous to an organization’s network. DS recommended that the Department limit penetration testing to general support systems that support the major and minor applications and a small number of critical systems. In August 2005, the CIO provided DS a list of applications that must have penetration testing. The Department’s overseas financial management feeder system has been certified for only 18 months rather than three years because it has not had penetration testing.

Recommendation 10: The Chief Information Officer should enforce the requirement for penetration testing as part of the certification and accreditation process.

Department Response: “The CIO agrees with the recommendation. Recently, NIST informed the Department that it intends to provide clarification on how to more effectively integrate penetration-test results of General Support Systems into the authorization of Major Applications. The formal outcome of NIST’s guidance will provide the Department with critical information necessary to determine the mechanics, periodicity and linkage of penetration testing results into system authorization activities. Further, Department draft policy will be modified upon receipt of NIST’s clarification.

The expected NIST clarification does not change the penetration testing requirements that the CIO identified and provided to the Bureau of Diplomatic Security. The testing and the periodicity specified in the CIO’s directive are considered essential to the continued security health of the Department’s networks and critical applications. The results of DS penetration testing will be reviewed as part of future systems authorization activities.”

OIG Comments: OIG considers the recommendation resolved.

The certification and accreditation data in the Department’s applications inventory system and in its POA&M database, SAFIRE, is inaccurate. As of August 11, 2005, the Department had certified and accredited 32 applications and general support systems this fiscal year. In the Department’s applications inventory system, there were 10 records with no contingency plan data, 17 records with no system security plan data, and six records were not entered. Of the 19 records in SAFIRE, OIG identified 15 with no certification and accreditation data, 15 with no contingency plan data, and 14 with no system security plan data. All certification and accreditation data in these databases should be consistent.

Recommendation 11: The Chief Information Officer should verify the accuracy of certification and accreditation information that is input into the information technology application baseline and the State Automated Federal Information Security Management Act Reporting Environment databases.

Department Response: “The CIO agrees with the recommendation. The solution is the development and implementation of the data bridge between the Information Technology Asset Baseline (ITAB) and the State Automated FISMA Reporting Environment (SAFIRE). This bridge will align the data within the two tools and allow for easier and more accurate validation and verification, as well as offer a complete inventory of systems for the Department including C&A information associated with them. SAFIRE and ITAB will be feeding information to each other by 2nd quarter 2006.”

OIG Comments: OIG considers the recommendation resolved.
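The record counts OIG reports for the applications inventory system and SAFIRE are the output of a cross-check that can be run automatically once both tools share a system identifier, which is the precondition for the data bridge the Department describes. The following Python is an added example, not the Department's ITAB/SAFIRE bridge; the record layout, system identifiers and field values are constructed. It counts records with empty certification and accreditation, contingency plan and system security plan fields in each source, lists systems entered in only one source, flags fields where the two sources hold different non-empty values (which need a human decision), and separates out gaps that one source can fill from the other:

```python
"""Cross-check of certification and accreditation (C&A) records held in two
inventories.

Added example; not the Department's ITAB/SAFIRE data bridge. System
identifiers, field names and values below are constructed for illustration.
"""
from dataclasses import dataclass

# The three items OIG counted per record.
REQUIRED_FIELDS = ("ca_date", "contingency_plan", "system_security_plan")

# Constructed sample: application baseline (ITAB-like), keyed by system id.
BASELINE = {
    "SYS-1": {"ca_date": "2005-03-01", "contingency_plan": "CP-1", "system_security_plan": "SSP-1"},
    "SYS-2": {"ca_date": "2005-05-12", "contingency_plan": None, "system_security_plan": "SSP-2"},
    "SYS-3": {"ca_date": None, "contingency_plan": None, "system_security_plan": None},
    "SYS-4": {"ca_date": "2005-07-20", "contingency_plan": "CP-4", "system_security_plan": None},
}

# Constructed sample: POA&M tool (SAFIRE-like). SYS-4 was never entered here;
# SYS-5 exists only here; SYS-1 carries a stale plan reference.
POAM_TOOL = {
    "SYS-1": {"ca_date": "2005-03-01", "contingency_plan": "CP-1", "system_security_plan": "SSP-1-old"},
    "SYS-2": {"ca_date": None, "contingency_plan": None, "system_security_plan": None},
    "SYS-3": {"ca_date": "2005-06-30", "contingency_plan": "CP-3", "system_security_plan": "SSP-3"},
    "SYS-5": {"ca_date": None, "contingency_plan": "CP-5", "system_security_plan": None},
}


@dataclass
class Report:
    missing_by_field: dict  # source -> {field: count of records with no data}
    not_entered: dict       # source -> ids present elsewhere but absent here
    conflicts: list         # (system, field, baseline value, poam value)


def missing_counts(records):
    """How many records leave each required field empty (None or '')."""
    counts = {f: 0 for f in REQUIRED_FIELDS}
    for rec in records.values():
        for f in REQUIRED_FIELDS:
            if not rec.get(f):
                counts[f] += 1
    return counts


def cross_check(baseline, poam):
    """Inconsistencies a data bridge must resolve before the two tools can
    feed each other: records missing in one tool and fields that disagree."""
    all_ids = set(baseline) | set(poam)
    not_entered = {
        "baseline": sorted(all_ids - set(baseline)),
        "poam": sorted(all_ids - set(poam)),
    }
    conflicts = []
    for sid in sorted(set(baseline) & set(poam)):
        for f in REQUIRED_FIELDS:
            a, b = baseline[sid].get(f), poam[sid].get(f)
            # Two different non-empty values need a human decision; an empty
            # value on one side is a fillable gap handled by fillable_gaps().
            if a and b and a != b:
                conflicts.append((sid, f, a, b))
    return Report(
        missing_by_field={"baseline": missing_counts(baseline),
                          "poam": missing_counts(poam)},
        not_entered=not_entered,
        conflicts=conflicts,
    )


def fillable_gaps(baseline, poam):
    """Fields empty in one source whose value the other source already holds,
    as (system, field, source that is missing the value)."""
    gaps = []
    for sid in sorted(set(baseline) & set(poam)):
        for f in REQUIRED_FIELDS:
            a, b = baseline[sid].get(f), poam[sid].get(f)
            if bool(a) != bool(b):
                gaps.append((sid, f, "baseline" if not a else "poam"))
    return gaps


if __name__ == "__main__":
    report = cross_check(BASELINE, POAM_TOOL)
    print("empty fields:", report.missing_by_field)
    print("not entered:", report.not_entered)
    print("conflicts:", report.conflicts)
    print("fillable from the other tool:", fillable_gaps(BASELINE, POAM_TOOL))
```

Separating conflicts from fillable gaps matters for a bridge that feeds data in both directions: a gap can be copied across mechanically, whereas two different non-empty values copied blindly would simply propagate whichever tool ran last, and the consistency OIG asks for would be lost again.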
During this evaluation, the consistency of the data in the applications has improved significantly. As of September 21, 2005, in the Department’s applications inventory system, there were four records with no certification and accreditation data, seven records with no contingency plan data, seven records with no system security plan data, and five records were not entered. Of the 22 records in SAFIRE, OIG identified two with no certification and accreditation data, two with no contingency plan data, and two with no system security plan data.

As discussed above, other weaknesses have surfaced in the Department’s certification and accreditation process. The Department has not determined the security impact level of two-thirds of the systems in OIG’s sample. The Department also has not established a process to ensure that security controls and contingency plans are tested annually. Finally, the primary ISSO for a major application had not received the required information systems security training.

Configuration Management Needs To Be Worldwide

The Department does not require all administrators to comply with configuration management procedures. Nor does the Department have a process in place to ensure that the procedures are being followed. There is no reporting requirement for domestic networks, so the Department does not know if all local administrators are following the required security configuration procedures. In May 2004, the Department required overseas local administrators to upload quarterly the verification tool results for DS analysis. OIG found that some posts did not conduct quarterly uploads or did not include a full scan of their unclassified networks. OIG believes that the Department needs to require all local administrators to provide quarterly scan results to DS. Furthermore, OIG found that the Department does not have processes in place to ensure that Oracle database and Cisco Internet Operating System security configuration procedures are being implemented.

Not following Department configuration procedures puts the Department at unnecessary risk. The Cyber Incident Response Team reports from November 2004 to June 2005 showed 22 instances of users on OpenNet connecting to remote workstations outside of the Department, such as their home or school computer. As the current Microsoft Windows XP configuration guidelines require that the remote services be disabled, these 22 events show that local administrators have not followed the required configuration security guidelines. A connection to a remote machine can bypass perimeter security processes and puts the Department at risk.

Recommendation 12: The Chief Information Officer should implement a process that ensures all local administrators comply with the Department’s security configuration guidelines, which includes requiring domestic system administrators to provide quarterly security configuration scan results.

Department Response: “The CIO agrees with the recommendation; however, it should be noted that the process may be done remotely or on-site. The Department is developing a process to improve compliance with security configuration guidelines. Improved reports include cumulative metrics used to facilitate CISO E&V process oversight and input into site visit selection. The ISSO program is supporting E&V by encouraging configuration scans and scheduling scanning tool training in the ISSO course.”

OIG Comments: OIG considers the recommendation resolved.

Roles and Responsibilities for Information Security Need To Be Made Clearer

The integration of the cyber security roles and responsibilities between DS and IRM has not always been as effective as possible. Friction exists because the current guidance does not clearly define functions, leaves room for misinterpretation of responsibilities, and causes omissions or duplications in several key information security activities.

In an April 2005 memorandum, the CIO assigned to the CISO, who is the director of IRM/IA, the following responsibilities:

• developing and maintaining an agency-wide information security program;
• coordinating the design and implementation of processes and practices that assess and quantify risks;
• developing and maintaining information security policies, procedures, and control techniques to address all applicable information security requirements;
• training and overseeing personnel with significant responsibilities and providing liaison with ISSOs domestically and overseas;
• advising and assisting Department senior management with their information security responsibilities; and
• reporting Department compliance with federal mandates to Department leadership, OMB, and Congress.

IRM/IA has not been fully integrated into many of the Department’s ongoing IT initiatives – especially those that are operational, such as standing up the embassy in Baghdad. IRM/IA was excluded from the decision process where risks were assessed and waiver decisions made to facilitate IT processing in Baghdad. Also, during a recent virus outbreak, the August 26, 2005 daily cyber security briefing report stated that mitigation and remediation actions continue between DS and its IRM security partners, which did not include IRM/IA. These actions by DS and its IRM security partners bypassed the coordinating and advising responsibilities of the CISO.

Recommendation 13: The Chief Information Officer should require that the Chief Information Security Officer be included in all operational decisions made in Washington that increase the risk to the Department’s information security posture.

Department Response: “The CIO agrees with the recommendation. To address the issues cited, the CIO relies on the CISO in ensuring the security of the Department’s information and information systems. During FY 2005, DS and IRM/IA staff in partnership with IRM/OPS shared information to resolve operational issues and address emerging policy challenges. The CIO will formally task all operational elements and all Department-wide security elements to include the CISO in all operational and policy decisions that may significantly impact the risk to the Department’s information security posture.

We note that DS has continued to carry out its operational security duties in accordance with the Omnibus Diplomatic Security Act. These separate, but complementary, security responsibilities were documented and approved by the Under Secretary for Management in 2003 and subsequently updated in 2004.”

OIG Comments: OIG considers this recommendation resolved.

The conflicting information in the FAM and the Foreign Affairs Handbook (FAH) regarding each office’s and individual’s role in cyber security further exacerbates a difficult situation. In last year’s FISMA evaluation, OIG found that the Department had not provided clear guidance to posts, including roles and responsibilities for meeting information security management requirements. OIG recommended that the CIO provide guidance and direct the appropriate bureaus to revise the relevant FAM and FAH chapters or sections annually, or sooner if significant changes occur. The cyber security roles and responsibilities matrix, which the Under Secretary for Management approved in August 2004, does not address any of the overseas or functional bureau participants in this process.
The CIO has included updating the FAM and FAH to reflect the Department’s information security policies and standards in the IRM corrective action plan with a milestone date of August 31, 2006, to complete this action.

(b) (2)

Recommendation 14: (b) (2)

Department Response: “The CIO agrees with the recommendation. The CISO’s staff is working with the Bureau of Human Resources to professionalize the ISSO program. The initiative includes establishing mandatory minimum requirements for ISSOs by end of the calendar year.”

OIG Comments: OIG considers this recommendation resolved.

Although much of the responsibility for securing information and IT system assets has been placed with the ISSO, in most instances these duties were assigned on a collateral basis and were not the primary duties of the individual designated as the ISSO. The collateral nature of these assignments reduces the time available to perform ISSO duties because the incumbents view them as secondary. For example, at four sites OIG inspected, the ISSOs or alternate ISSOs performed other responsibilities in conjunction with their primary duties and were overwhelmed by both responsibilities.

At nine sites visited by OIG, there was inadequate segregation between information management and information security duties and responsibilities. This lack of separation of duties led to several weaknesses in the implementation of the Department’s information systems security program. These weaknesses included compromised access to classified and sensitive but unclassified information and inadequate reviews of user directories, system audit logs, and network reviews for inappropriate or excessive personal use of government equipment. Furthermore, some ISSOs did not review systems operations and systems maintenance logs and conduct quarterly network scans.
At another site, OIG observed difficulties in revoking access privileges for personnel leaving the mission and a high number of staff with administrative rights to unclassified information systems.

Awareness and Training Programs Need Additional Work

Although all Department network users are required to complete annual security awareness training to ensure the confidentiality, integrity, and availability of information, there are no procedures in place to ensure a user completes the awareness training annually. The role-based IT security training program needs to include the increasing responsibilities of employees with significant IT security responsibilities.

Not all Department employees have completed the annual awareness training, because there is no enforcement method such as requiring training prior to receiving or keeping logon access. The Department has over 70,000[8] employees, which includes full-time employees, Foreign Service nationals, and domestic contractors. OIG found that 46,430 computer users have valid certificates, 647 have incomplete certificates, and 23,567 have expired certificates as of August 16, 2005. Incomplete and expired certificates may be for users who have left the Department or have not completed the online test to satisfy the training requirement. Regardless, only 46,430 users have up-to-date awareness training, which is less than 70 percent of the approximate number of Department employees.

[8] The number of employees is based on the Bureau of Human Resources number of 57,062 employees overseas and domestic as of June 30, 2005, and 13,871 active contractor badges reported by DS as of August 23, 2005. This number includes an estimated number of domestic contractors and thus is different from the number reported in last year’s FISMA report.

Recommendation 15: The Chief Information Officer should develop and implement procedures for enforcing the annual computer security awareness training requirement.

Department Response: “The CIO agrees with the recommendation. In FY2005, the Department implemented procedures that both encourage system users to take the annual computer security awareness training and provide for enforcement. All parties desiring access to the Department’s primary network, OpenNet, must first complete an online training session and test. An annual training session and test is required for continued system access. Enforcement of this policy is delegated to local ISSOs and effectiveness will be monitored by the CISO’s office. Should enforcement prove insufficient, the CISO will develop mitigating controls to improve performance.”

OIG Comment: OIG considers this recommendation resolved.

The Department has not fully identified which employees have significant IT security responsibilities. NIST 800-16 identifies 26 functions to be considered when developing an IT security training program, including software developers, project managers, and contracting officers. The Department was planning to create a course for software developers by FY 2005. This information assurance course and curriculum for software developers is still in the preliminary approval stage.

Recommendation 16: The Chief Information Officer should identify which employees need training for key information security functions and design and deliver the necessary role-based training.

Department Response: “The CIO agrees with the recommendation with comment. Since 2001, the Department has taken steps to identify employees with significant IT security responsibilities. These efforts are now documented in the Information Assurance Training Plan. This plan identifies required security training for specific information assurance roles relevant to the Department. It is a living document and is reviewed each year to evaluate resources, priorities, and timelines. As additional roles are added, additional resources will be required to design and deliver additional role-based training.

Also, the report should note that the Department has, in accordance with NIST SP 800-16, identified 13 specific roles, the target audience for those roles, and the training courses available to meet the IA training requirements. This information is documented in the ‘FY05 Information Assurance Training Plan.’ Moreover, many of the 26 roles in SP 800-16 have been incorporated into the Department’s set of 13 specific roles. As a result, resources are focused on meeting the largest percentage of significant employees with IT security responsibilities, specifically the Information Systems Security Officers (ISSOs), Technical Security Personnel at three levels, IT Managers, Senior-level Managers, Executives, Special Agents, Security Engineers, and OIG Auditors.”

OIG Comment: OIG reviewed the “FY 05 Information Assurance Training Plan” and considers this recommendation closed upon issuance of this report.

Privacy Act Requirements Are Not Addressed

Additional opportunities exist to improve the Department’s information privacy activities. Specifically, OIG found weaknesses in the Privacy Act implementation in the certification and accreditation of systems, inadequate communication on Privacy Act training for new employees, and lack of information Privacy Act awareness throughout the Department.

The Department is not consistently capturing information system Privacy Act requirements in the Department’s information technology applications baseline, the central database of all Department systems. Section 208 of the E-Government Act (Public Law 107-347, 44 U.S.C. Ch 36) requires that systems that collect, maintain, or disseminate information in identifiable form have privacy impact assessments when developing or procuring IT systems or projects. These assessments determine whether an IT system has adequate built-in protections to ensure the privacy and handling of personal information. Furthermore, the privacy impact assessment evaluates the risks and effects of collecting, maintaining, and disseminating electronic personal information. Privacy impact assessments are updated as necessary when a system change creates new privacy risks or when new uses of an existing IT system significantly change how information in identifiable form is managed in the system. Privacy impact assessment information is not mandatory in the Department’s applications inventory system. OIG found many web-based applications that request and capture users’ social security numbers which have not been entered into the Department’s applications inventory system.
Therefore, the Department does not have an accurate representation of all\napplications that contain Privacy Act information and the resultant controls that must be\nimplemented.\n\n       Recommendation 17: The Chief Information Officer should design and\n       implement procedures for ensuring that the privacy impact assessment section in\n       the Department\xe2\x80\x99s application inventory system is completed for all applications.\n\n        Department Response: \xe2\x80\x9cThe CIO agrees with the recommendation. The\nDepartment\xe2\x80\x99s new registration process for Information Technology Asset Baseline\n(ITAB) will incorporate mandatory privacy reporting into the Department\xe2\x80\x99s application\nregistration process. Specifically, system owners will be required to file all appropriate\ndocumentation with the Bureau of Administration\xe2\x80\x99s Senior Agency Official for Privacy\nfor any information category that falls within the scope of a privacy impact assessment.\nThe system authorization process serves as an additional verification that the applicable\n\n\n\n\n                                            23\n\n\x0cdocumentation is both complete and accurate and the commensurate security controls are\ntested.\xe2\x80\x9d\n\n       OIG Comment: OIG considers this recommendation resolved.\n\n        The Department does not provide standard Privacy Act training nor does it have a\nPrivacy Act awareness campaign for the Department workforce. 
OMB M-05-08 states\nthe senior agency official shall ensure the agency\xe2\x80\x99s employees and contractors receive\nappropriate training and education programs regarding the information privacy laws,\nregulations, policies, and procedures that govern the agency\xe2\x80\x99s handling of personal\ninformation.\n\n        The Department\xe2\x80\x99s privacy office assumed a Privacy Act overview is conducted\nduring the orientation session; however, OIG found such information is not provided\nduring the DS review of the protection of classified information. The Department\nconducts weekly information management officer training that covers the Privacy Act but\nthere is little to no information privacy awareness training for the remainder of the\nDepartment.\n\n       The Department has not developed guidance on Privacy Act information issues\nnor on how or where to obtain Departmental Privacy Act assistance. The Department\nNotice on employee roles and responsibilities when dealing with privacy information is\ndated September 1993.\n\n       Recommendation 18: The Assistant Secretary for Administration (Senior\n       Agency Official for Privacy), in coordination with the CIO and the Office of the\n       Legal Adviser, should update guidance on employee Privacy Act responsibilities.\n\n        Department Response: \xe2\x80\x9cThe Assistant Secretary for Administration (Senior\nAgency Official for Privacy) agrees (and the CIO concurs) with the recommendation,\nwhich should be redirected to the Assistant Secretary for Administration. Numerous\nefforts are underway that address the need to raise employee awareness of protecting\nprivacy information. A Department-wide training program for employees and\ncontractors is under development. 
Recently, the Office of Information Programs and\nServices delivered a three-day course to those employees responsible for processing\nFreedom of Information Act and Privacy Act requests from the public.\n\nA Department notice informing employees of their roles and responsibilities with regard\nto the Privacy Act and handling of personal information is in clearance.\n\nThe Department set-up an e-mail address, Privacy-DL@state.gov mailto:Privacy-\nDL@state.gov>, for employees to ask privacy-related questions.\n\nThe Department has trained IT systems managers on completing Privacy Impact\nAssessments required by Section 208, Privacy Provisions of the E-Government of 2002.\n\n\n\n\n                                           24\n\n\x0cPart of that training included detailed guidance on their responsibilities under the Privacy\nAct and the handling of personal information.\xe2\x80\x9d\n\n       OIG Comment: OIG considers this recommendation resolved.\n\n\nAdditional Information Security Management Deficiencies Identified by OIG\nInspections\n\n       OIG conducted information security inspections at 36 sites during FY 2005. OIG\nfound numerous issues that should be addressed by the Department to ensure effective\nimplementation of information security at sites. Besides patch management and ISSO\nprogram deficiencies described earlier, several sites lacked required contingency plans\nand documentation, inappropriate material was downloaded to post servers and users\xe2\x80\x99\ncomputers, and the Department policy regarding inappropriate use of government\nequipment was not being followed. The details of these deficiencies and\nrecommendations have been addressed in individual inspection reports.\n\n       Patch Management\n\n        Flaws are identified in software in use that leaves it vulnerable to outside sources\nof disruption. 
Patches are released to fix these flaws, protecting software from such\nvulnerabilities, and are an integral part of information systems security. Patches are\nnecessary to protect software from intrusion or attack. A lack of up-to-date patches\nplaces not only embassies but also the entire Department\xe2\x80\x99s network at risk.\n\n       Contingency Planning\n\n        OIG found that several overseas posts do not have the required contingency plans\nfor their respective embassies. To assist Department compliance with these documents,\nIRM has comprehensive automated templates for developing system specific contingency\nplans for classified and unclassified information technology systems.\n\n       Inappropriate Material on Networks\n\n        OIG found several instances of inappropriate material on embassy networks. For\nexample, nine sites had inappropriate material on the servers that included nonwork\nrelated video and audio files, prohibited software. As a result, systems could be\nvulnerable to viruses, which would greatly reduce the productivity and compromise\nsystem security.\n\n\n\n\n                                             25\n\n\x0cRecommendations\n\nRecommendation 1: The Chief Information Officer should rewrite change control board\nprocedures to require local change control boards to enter all application information into\nthe Department\xe2\x80\x99s applications inventory system.\n\nRecommendation 2: The Chief Information Officer should include the requirement to\ndevelop a complete and accurate inventory of contractor systems and facilities into the\nDepartment\xe2\x80\x99s current corrective action plan for information security.\n\nRecommendation 3: The Chief Information Officer should require that all information\nsystems policies and guidance use the same definition for the term system.\n\nRecommendation 4: The Chief Information Officer should ensure that the State\nAutomated Federal Information Security Management Act Reporting 
Environment\napplication is certified and accredited.\n\nRecommendation 5: The Chief Information Officer should require that all system\nowners use the State Automated Federal Information Security Management Act\nReporting Environment application and receive the requisite training.\n\nRecommendation 6: The Chief Information Officer should disconnect networks that do\nnot comply with the Department\xe2\x80\x99s patch management policies.\n\nRecommendation 7: The Chief Information Officer should develop and implement a\nprocess for local administrators on identifying vulnerabilities and applicable patches for\nsoftware not included in the core baseline as well as identifying additional government\nresources.\n\nRecommendation 8: The Chief Information Officer should require that a risk\nassessment be conducted on all subcomponents or a representative sample prior to\nreaccrediting the Department\xe2\x80\x99s unclassified and classified networks.\n\nRecommendation 9: The Chief Information Officer should provide information security\nrequirements that must be addressed during the regional computer security officers\xe2\x80\x99 site\nevaluation and verification visits.\n\nRecommendation 10: The Chief Information Officer should enforce the requirement for\npenetration testing as part of the certification and accreditation process.\n\nRecommendation 11: The Chief Information Officer should verify the accuracy of\ncertification and accreditation information that is input into the information technology\napplication baseline and the State Automated Federal Information Security Management\nAct Reporting Environment databases.\n\n\n\n\n                                            26\n\n\x0cRecommendation 12: The Chief Information Officer should implement a process that\nensures all local administrators comply with the Department\xe2\x80\x99s security configuration\nguidelines, which includes requiring domestic system administrators to provide quarterly\nsecurity configuration 
scan results.\n\nRecommendation 13: The Chief Information Officer should require that the Chief\nInformation Security Officer be included in all operational decisions made in Washington\nthat increase the risk to the Department\xe2\x80\x99s information security posture.\n\nRecommendation 14: (b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\n(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\nRecommendation 15: The Chief Information Officer should develop and implement\nprocedures for enforcing the annual computer security awareness training requirement.\n\nRecommendation 16: The Chief Information Officer should identify which employees\nneed training for key information security functions and design and deliver the necessary\nrole-based training.\n\nRecommendation 17: The Chief Information Officer should design and implement\nprocedures for ensuring that the privacy impact assessment section in the Department\xe2\x80\x99s\napplication inventory system is completed for all applications.\n\nRecommendation 18: The Assistant Secretary for Administration (Senior Agency\nOfficial for Privacy), in coordination with the CIO and the Office of the Legal Adviser,\nshould update guidance on employee Privacy Act responsibilities.\n\n\n\n\n                                            27\n\n\x0c                          Abbreviations\n\n\nACS          American Citizens Services\nBTKBE        Baseline Tool Kit Back End\nCA           Bureau of Consular Affairs\nCIO          Chief Information Officer\nCISO         Chief Information Security Officer\nClassNet     Classified network\nDepartment   Department of State\nDS           Bureau of Diplomatic Security\nFAH          Foreign Affairs Handbook\nFAM          Foreign Affairs Manual\nFIPS         Federal Information Processing Standard\nFISMA        Federal Information Security Management Act\nIRM          Bureau of Information Resource Management\nIRM/IA       Office of Information Assurance\nISSO         Information systems 
security officer\nIT           Information technology\nNIST         National Institute of Standards and Technology\nOIG          Office of Inspector General\nOMB          Office of Management and Budget\nOpenNet      Unclassified network\nPA           Bureau of Public Affairs\nPACE         Public Affairs Communicating Electronically\nPLOTS        Passport Lookout Tracking System\nPOA&M        Plan of action and milestones\nSAFIRE       State Automated FISMA Reporting Environment\nSMS          System Management Server\nWebgram      Telegram Web Portal\n\n\n\n\n                                28\n\n\x0c                                                                              Appendix A\n\n                      Objectives, Scope, and Methodology\n\n        The objective of this review was to assess the overall effectiveness of the\nDepartment\xe2\x80\x99s information security program. Specifically, the review included evaluating\nthe Department\xe2\x80\x99s information security roles and responsibilities, configuration\nmanagement, cyber security incident reporting policies, information security awareness\nand training, certification and accreditation, and system inventory. Further, the review\nincluded how the agency implements patch management, the role of the Privacy Act\nofficial in IT security, and contractor systems oversight.\n\n        To meet its review objectives, OIG first researched U.S. laws and federal\nguidance to identify relevant criteria for implementing and managing information\nsecurity programs. OIG then reviewed previous reports that evaluate the Department\xe2\x80\x99s\ninformation security program to identify previous issues and follow up on past\nrecommendations. 
OIG also reviewed documents provided by Department officials,\nincluding but not limited to, corrective action plans, standard operating procedures, and\nprocess guides.\n         OIG met with officials from DS and IRM to discuss the Department\xe2\x80\x99s procedures\nfor granting approval and providing oversight to contractor services, inventory, and\nfacilities; and implementing and managing information security awareness and training.\nOIG also attended working group meetings regularly with IRM/IA officials to obtain\nnecessary information for completing the OMB FISMA report and OIG independent\nevaluation report. OIG also selected a subjective sample of the Department\xe2\x80\x99s systems to\nevaluate the certification and accreditation process and the application of its security\nconfiguration template.\n        OIG\xe2\x80\x99s Information Technology Office performed this evaluation from June 2005\nthrough September 2005. Contributors to this report were Mary Heard, Jennifer Noisette,\nMichelle Wood, Olukemi Adebiyi, and Jonathan Tull. Comments or questions about the\nreport can be directed to Ms. Mary Heard at Heardm@state.gov on 703-284-2656 or\nJennifer Noisette at Noisettejm @state.gov on 703-284-2641.\n\n\n\n\n                                            29\n\n\x0c                                                                                     Appendix B\n\n                        Department Response\n\n\n                                                lnilt\'ll Slnh\xc2\xb7._ f)"l\'urlllWnl "f SIll\'"\n\n\n\n\n                                                  September 22, 2005\n\n\nUNCLASSIFIED\n\nINFORMATION MEMO FOR INSPECTOR GENERAL KRONGARD-OIG\n\nFROM,         IRM-JayN.   
~;:~g\nSUBJECT: Depanmenl of State Response 10 the GIG Repon entitled Review 0/\n         Information Security Program at the Department a/State.\n\n      I appreciate the opportunity to review and comment on the memorandum\nrepon, Review a/the In/onnation Security Program at the Department a/State.\n1T\xc2\xb7I\xc2\xb70509. Please find attached the Depanment\'s response to the recommendations\nprovided in the memorandum repon.\n\n\nAttachment:\n As staled.\n\n\n\n\n                               UNCLASSIFIED\n\x0c                                              Appendix B\n\n                        Department Response\n\n\n                              UNCLASSIFIED\n                                  \xc2\xb72-\n\nDrafted by: IRM/IA: E Caffrey\n            09122/2005 ext. 2-2424\nClearances:\n      AlRPS - L. Lohman\n      DS/SI ~ D. Reid\n      IRM/BPC - C. Liu\n      IRMlEX - T. Williamson\n      IRM/QP$ - S. Musser\n      IRMIIA - J.S. Norris\n\n\n\n\n                              UNCLASSIFIED\n\x0c                                                                                                  Appendix B\n\n                               Department Response\n\n\n\n                               Dqilrtmtal of Stile RtSpo0$e\n                                           to tbe\n                            OIG MemoriDdum Rtport IT-1-0509\n           Rtview of lbe IDformarioD Security Prognlm II tbe DePlrtJMll of Slate\n\nRecommeadltioa I: The Chieflnformation Offieer should rewrile change conllOl board\nprocedures 10 require local change conlIOl board5 10 enttt all application infomlltion inlO the\nDepartmenl\'s applications inventory system.\n\nThe CIO agrees with the recommendation. The Information Technology Asset Baseline (ITAB)\npartners will facililate implementation. In the process. we will consider adding additional IT\nU$el$, including the overseas applications, contractor systems, and 5ites into ITAB. 
The ITAS\nchanges WKIerway must be completed before any other inventory 1)l)CS mlY be added. Because\nthe wei invtnlOl\'y will expand signifICantly, the Department will follow I phased\nimplementation process. The CIQ is committed to resolving this recommendation and will\nprovide a schedule with milestones by OcIOber 1S.\n\nRecommendation 2: The Chief Information Offiett should include the requirement to develop\na complete and acx:urate inventory of contraclOr s)\'Stems and facililies inlO the Department\'s\ncurrent comx:live action plan for information s)\'Stems security.\n\nThe CIO agrees with the recommendation and will implement an inventory process in line with\nstill-eVOlving NIST standards. Because of unsettled policy and the overlapping and interwoven\nnature ofcontnlCtor Systems containing government informalion (e.g., contractors that deal with\nmultiple government agencies), the Department\'s response and actions musl be coordinated with\notheT agencies and OMB. As noted in the OIG\'s recommendation, the Department\'s plan for\naddressing inventory, contract modifications and oversight is already being implemented.\nLanguage to address this issue from a contractual perspective is under development by\nrepresentatives from ilCroSS the Departmenl. Upon completion of the new version of ITAB,\ncentral registration ofcontractor systems will be possible. Set alSQ response to recommendation\n# I. The CIO is committed to resolving this recommendation and will add the requirement to\nthe Federal Managers\' Financial Integrity Act, Corrective Action Plan.\n\nRecommendation 3: The Chiefinfonnation Officer should requirt that all infonnation systems\npolicies and guidance use the same definition for the tenn system.\n\nThe CIO agrees with the recommendation. The offieial Department definition of the term\n"System" is found in S FAM 614: Syslem. 
A comblnallon of hardwlrt, software, flcllities,\npersonnel, dala, Ind serviees to perform I designated funclloll wilb speclned results to\nuser(s). The S FAM will be rewritten to contain a separate section that consolidates all terms and\ndefinitions.\n\nRecommeadllion 4: The Chief Infonnation Officer should ensure that the State Automated\nFederal Information Security Management ACI Reporting Environment application is cerlified\nand aceredited.\n\x0c                                                                                                 Appendix B\n\n                               Department Response\n\n\n\nThe CIO agrees .....ith the recommendation. The office thai performs systems authorization is the\nowner ofthe application. 1llerefore, to avoid the poIential conflict ofinleresl, the Depanment\nhired an independent certification agent The Swe Automated FlSMA Reporting Environment\n(SAFIRE) application is in the Accrediwion phase ofthe Systems Authorization\nProcess. Remediation ofthe findings is complete and barring unforeseen circumstances, the CIO\nexpects to authorize the system by the end of the fiscal year.\n\nRK\'Ommctldatioa.5: The Chiefln(ormation Officer should require that all system ownen use\nthe Swe Automated Federallnfonnation Security Management Act Reponing Environment\napplk.ation and receive the requisite rraining.\n\nThe CIO agrees with the recommendation. This activity was not adequately funded in FY200S\nd~ to budget constraints. The Department will ..d more resources to the SAFlRE project to\nincrease SAFIRE visibility and strengthen the message that is .lready in place Uu\'ough additional\ntnUning and advocacy. Furthermore,the SAFIRE tearn will continue to bold monthly meetings\nwith the bureaus and continue to ofTer bureau assistance. 
In addition., presentations will be\nprovided both domestically and overseas at conferences.\n\nRecommetld.t1otl 6: The Chieflnfonnation Officer should disconnect networks th.t do not\ncomply with the Department\'s patch management policies.\n\nThe CIO agrees with the recommendation. This is supported by exisling policy in S FAM 866.d\nthat provides, "the Designated Approval Authority (OAA) may disconnect any system, LAN, or\ndomain that does not comply with the Department\'s Enterpri&e Patch Management Program\'s\ndirectives." Fwthennore, the Department must continue to balance acceptable risk: against\noperational requirements for infonnation and infonnation systems services.\n\nRecommeadalioD 7: The Chieflnfonnation Officer should develop and implement a process\nfor local administrators on identifying vulnerabilities and applicable patches as well as\nidentifying additional government resources.\n\nThe CIO generally agrees with the recommendation, but notes the even greater potential to\nreduce vulnerabilities by remotely monitoring networks and administering patches from off-site\nlocations, thereby reducing the burden on local administrators and improving overall network\nmanagement. IRM senior management will coordinate and develop a process for oversight and\ncompliance for other hardware I software applications or systems. The Local Change Control\nBoards (CCBs) report local post patch management activity and approval of IT items to their IT\nCCB Voting Representatives and the IT CCB Change Manager. This reporting mechanism\nprovides infonnation to the Patch Management Team for tracking.\n\nRec:ommeadatloa 8: The Chief Infonnation Officer should require that a risk assessment be\nconducted on all subcomponents or a representative sample prior to reaccrediting the\nDcpanment\'s unclassified and classified networks.\n\nThe CIO agrees with the recommendation. The Department perfonned risk assessments on the\nmajor components ofOpmNet and ClassNet. 
For example, the Department performed a risk\n\n\n\n                                                2\n\x0c                                                                                                  Appendix B\n\n                               Department Response\n\n\n\nassessment of the software image ofwOfbtations deployed overseas through the type\naccreditation ofGITM-U and GJTM\xc2\xb7c. The systems are currently undergoing the initial phases\nofre-accreditation and will undergo more rigorous testing and scrutiny than on the first pass.\n\nRecommendation 9: The Chief Infonnation Officer should provide infonnation security\nrequiremcnts for the regional computer security officers\' enhanced evaluation and verification\nvisits.\n\nThe CIO agrees with the recommendation. As a mailer of clarification, the report\'s text should\nreflect the fact that the 2004 Roles and Responsibilities Matrix - developcdjointJy by the CIO\nand Assistant Secretary for OS - established the Evaluation and Verification (E&V) program,\nand assigned responsibility for this program to OS. The E&V program will help the Department\nmaintain a continuous monitoring capability in accordance with NIST guidante and in keeping\nwith the Department\'s resource priorities as well as help support the Systems Authorization\nprograms under CIO oversight.\n\nWith regard to E&V ovenighl, it is also important to note that OS and IRMIIA $I.lffs are\ncontinuing to work elosely to develop reporting procedures that will support the CIO in meeting\nFISMA respons.ibilities. Funhennore. OS and JRMIIA present joint quanerly briefings to the\nCIO and AS5istant SecreIary for OS detailing the progress of the E&V program.\n\nDue to limited SI.lff and ftmding availability to support the E!tV process, the CISO\'s offlCC was\nlimited to setting difCICtion and collabon.ting with OS to provldc: high-level guidance: and a\nframework for the E&V process. The CIO. 
through the ClSO, is acting on this ~mmenda!ion\nby ill$lituting a fonnal ovenight role using perfonnancc measurements and metriC$.\n\nRecommeadatioa 10: The ChicfInfonnation Officer should enforce the requirement for\npenetration testing as pan of the certification and accreditation process.\n\nThe CIO agrees with the TttOmmendation. Recently, NIST informed the Department that it\nintends to provide clarification on how to more effectively integrate penetration.test results of\nGeneral Support Systems into the authoriz.ation of Major Applications. The fonnal outcome of\nNIST\'s guidance will provide the Department with critical information necessary to determine\nthe mechanics, periodicity and linkage of pc:netration testing results into system authoriz.ation\nactivities.    Further, Department draft policy will be modified upon receipt of NIST\'s\nclarification.\n\nThe expected NIST clarification does Il()( change the penetralion testing requirements that the\nCIO identified and provided to the Bureau of Diplomatic Security. The testing and the\nperiodicity .sp\xc2\xab:ified in the CIO\'s directive is considered essential to the continued security\nhealth orthe Department\'S netWorks and critical applications. The results ofCS pc:oetration\ntesting will be reviewed as pan of future systems authorization activitiC$.\n\nRecommeDdatioD II: The Chief Information Officer should verify the accUTaCy ofcc:nificatMm\nand accreditation information thai is input into the informatMm technology appl~tion baseline:\n\n\n\n\n                                                ,\n\x0c                                                                                                                   Appendix B\n\n                                        Department Response\n\n\n and the State Automated Federal Information Security Management Act Reporting Environment\n databases.\n\n The CIO .agrees with the recommendation. 
The solution is the development and implementation\n ofthe data bridge between the Information Technology Asset Baseline (ITAS) and the State\n Automated FISMA Reporting Environment (SAFIRE). This bridge will align the data within the\n two tools and allow for easier and more accurate validation and verification, as well as offer a\n complete inventory ofsystems for the Department including C&A information associated with\n them. SAFIRE and ITAB will be feeding information to each other by 2.... quaner 2006.\n\n Recommendation 12: The Chief information Officer should implement a process that ensures\n all local administrators comply with the Department\'s security configuration guidelines, which\n includcs requiring domestic system administrators to provide quarterly security configuration\n scan results.\n\n Thc cia agrees with the recommendation, however, it should be noted except that the process\n may bc done remotely or on-site. The Department is developing a process to improve\n compliance with security configuration guidelines. Improved reports include cumulative metrics\n used to facilitate CISO E&V process oversight and input into site visit selection. The 1550\n program is supporting E&V by encouraging configuration scans and scheduling scanning tool\n training in the 1550 course.\n\n R~ommeDdatlon 13: The Chief Information Officer should require that the Chieflnfonnation\n Security Officer be included in all operational decisions that increase the risk to the\n Department\'s information security posture.\n\n The cia agrecs with the rc<:ommendation. To address the issues dted the CIO relies on the\n CISO in ensuring the security of the Department\'s information and information systems. During\n FY 2005, OS and IRMIIA staff in partnership with IRMIOPS shared information to resolve\n operational issues and address emerging policy challcnges. 
The cia will fonnally task all\n opcrational elements and all Department-wide security elements to include the CISO in all\n operational and policy decisions that may significantly impact the risk to the Department\'s\n infomllltion securit)\' posture.\n\n We notc that OS has continued to carry out its operational security duties in accordance with the\n Omnibus Diplomatic Securit)\' Act. These separate, but complementary, securit)\' responsibilities\n were documented and approved by the Under Secretary for Management in 200] and\n subsequently updated in 2004.\n\n Rc<:ommendatiOD 14: (b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\n(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\n(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\n(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\n(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)(b) (2)\n\n\n\n\n                                                             4\n\x0c                                                                                                   Appendix B\n\n                                Department Response\n\n\nRecommendalion 15: The Chief Information Officer should develop and implement procedures\nfor enforcing the annual computer security awareness-lraining requirement\n\nThe CIO agrees with the recommendation. In FY2oo5, Ihe Department implemented procedures\nthat both encourage system users to take the annual computer security awareness training and\nprovides for enforccment. All parties desiring access to the Department\'s primary network,\nOpenNet. must first complele an online training session and test. An annual training session and\ntest is required for continued system access. Enforcement ofthis policy is delegated to 1000aI\nISSOs and effet.:tiveness will be monitored by the CISO\'s office. 
Should enforcement prove insufficient, the CISO will develop mitigating controls to improve performance.

Also, the report should note that the Department has, in accordance with NIST SP 800-16, identified 13 specific roles, the target audience for those roles, and the training courses available to meet the IA training requirements. This information is documented in the "FY05 Information Assurance Training Plan." Moreover, many of the 26 roles in SP 800-16 have been incorporated into the Department's set of 13 specific roles. As a result, resources are focused on meeting the largest percentage of significant employees with IT security responsibilities, specifically the Information Systems Security Officers (ISSOs), Technical Security Personnel at three levels, IT Managers, Senior-level Managers, Executives, Special Agents, Security Engineers, and OIG Auditors.

Recommendation 16: The Chief Information Officer should identify which employees need training for key information security functions and design and deliver the necessary role-based training.

The CIO agrees with the recommendation with comment. Since 2001, the Department has taken steps to identify employees with significant IT security responsibilities. These efforts are now documented in the Information Assurance Training Plan. This plan identifies required security training for specific information assurance roles relevant to the Department. It is a living document and is reviewed each year to evaluate resources, priorities, and timelines. As additional roles are added, additional resources will be required to design and deliver additional role-based training.

Recommendation 17: The Chief Information Officer should design and implement procedures for ensuring that the privacy impact assessment section in the Department's application inventory system is completed for all applications.

The CIO agrees with the recommendation.
The Department\'s new registration process for\nInformation Technology Asset Baseline (ITAS) will incorporate mandatory privacy reponing\ninto the Department\'s application registration process. Specifically, system owners will be\nrequired to file all appropriate documentation with the Bureau of Administration\'s Senior\nAgency Official for Privacy for any information category that falls within the scope of a privacy\nimpact assessment. The system authorization process serves as an additional verification that the\napplicable do<:umentation is both complete and accurate and the commensurate security controls\nare tested.\n\n\n\n\n                                                 5\n\x0c                                                                                                 Appendix B\n\n                               Department Response\n\n\n\nRecommendatioD 18: The Chieflnformation Officer should update guidance on employee\nprivacy act responsibilities.\n\nThe Assistant Secretary for Administr.ation (Senior Agency Official for Privacy) agrees (and the\nCIO concurs) with the recommendation, which should be redirected to the Assistant Secretary\nfor Administration. Numerous effolts are underway that address the need to raise employee\nawareness of protecting privacy infonnation. A Depanment-wide training program for\nemployees and contractors is under development. 
Recently, the Office of Information Programs and Services delivered a three-day course to those employees responsible for processing Freedom of Information Act and Privacy Act requests from the public.

[Paragraph withheld under FOIA exemption (b)(2).]

The Department set up an e-mail address, Privacy-DL@state.gov, for employees to ask privacy-related questions.

The Department has trained IT systems managers on completing Privacy Impact Assessments required by Section 208, Privacy Provisions of the E-Government Act of 2002. Part of that training included detailed guidance on their responsibilities under the Privacy Act and the handling of personal information.